Configuring a YubiKey for TOTP on OSX

Filed in Tech 3 Comments

I recently got a YubiKey FIDO U2F as part of Yubico and Github’s bromance sale at a fairly heavy discount of $13 off! Mine, including shipping, cost $11. They had issues with the initial keys they sent out being partially configured – if you tried to force setup the FIDO U2F it would brick the key. So now I have two – one that will do HMAC and static passwords (didn’t test anything else, for fear of bricking the key) and another that is a fully working FIDO U2F!

I use the Google Authenticator PAM module to force the use of 2 Factor Auth (2FA) for all my servers. I have a secret pre-made, and it’s already in the Google Authenticator app on my Note 2. I’ll save setting up and configuring the PAM module for another post; this post is just for getting your YubiKey to work with the Google PAM module.

First, you need to download the YubiKey personalisation application. It is available here. The GUI tool will also install the command line tools, which we’ll need later. After you’ve installed the personalisation tools and restarted your machine, open them up and insert your YubiKey.

[Screenshot: YubiKey Personalisation Tools without the key inserted]

[Screenshot: YubiKey Personalisation Tools with the key inserted]

We’ll remove the configuration for Slot 2. This is under Tools.

[Screenshot: Tools menu]

Delete Configuration

[Screenshot: Delete Configuration]

After you select the relevant slot (in my case, Slot 2), click Delete. You will then see the right-hand side notice saying that only Slot 1 is configured.

[Screenshot: only Slot 1 configured]


Next we will download and run the yubi_goog python script. This will convert the ssh user’s secret key (generated by Google or something else) into a usable format. For this example, my secret key is JBSWY3DPEHPK3PXP.

wget https://raw.githubusercontent.com/Ramblurr/yubi-goog/master/yubi_goog.py
chmod +x yubi_goog.py

Now we’ll convert the secret key into a YubiKey friendly format.

./yubi_goog.py --convert-secret
 
Google key: JBSWY3DPEHPK3PXP
48656c6c6f21deadbeef

So the script has converted JBSWY3DPEHPK3PXP to 48656c6c6f21deadbeef. We’ll put this into the YubiKey’s configuration for Slot 2.

Click Challenge-Response.

[Screenshot: Challenge-Response]

Then HMAC-SHA1.

[Screenshot: HMAC-SHA1]

We need to configure Slot 2, and put the converted secret key into the Secret Key box. The secret key will be padded with zeros automatically.

[Screenshot: HMAC-SHA1 configuration for Slot 2]

Click Write Configuration.

[Screenshot: Write Configuration]


Now we’ll jump back to the command line, and see if our seed works. I have the seed on my phone already using a QR code and the Google Authenticator app. The QR code is below so you can verify.

[QR code image for the secret above]

Since the YubiKey doesn’t have a battery, it doesn’t know what time it is. Thus, it makes time based OTP a pain in the ass. To get the OTP from the YubiKey, we need to issue a challenge response to it on the correct slot.


ykchalresp -t -6 -2
710876

ykchalresp is included with the personalisation tools and does the actual challenge-response with the YubiKey, passing in the time (the -t flag), the number of digits we want back (-6, for 6 digits) and the slot (-2 for slot 2; the default is -1, slot 1). If we run this and hit the button, we’ll get the OTP back, which is 710876. You can confirm this by checking it against the output of the Google Authenticator app on your phone – keep in mind that there might be a small bit of clock skew just before or just after the 30 second time window changes.
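As an added example (not code from the post, from yubi-goog or from Yubico), the Python below reproduces offline what the two command-line steps above do: it base32-decodes the authenticator secret the way yubi_goog --convert-secret does (the post’s JBSWY3DPEHPK3PXP decodes to 48656c6c6f21deadbeef), and it computes the RFC 6238 TOTP that ykchalresp -t -6 -2 asks the YubiKey for, so a code can be checked against both the key and the phone. It assumes the slot performs a plain HMAC-SHA1 over the 8-byte big-endian time counter and that the secret is 20 bytes or shorter. totp_window covers the 30-second boundary skew the post warns about, and yubikey_padded_key shows why the zero padding the personalisation tool applies changes nothing: HMAC itself zero-pads short keys, so padded and unpadded keys give identical codes.

```python
"""TOTP helpers mirroring the yubi_goog and ykchalresp steps above.

Added example, not code from the post or the yubi-goog project. Assumed:
the authenticator secret is plain base32, and the YubiKey slot computes
HMAC-SHA1 over the 8-byte big-endian time counter ykchalresp -t sends.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple


def google_secret_to_hex(secret: str) -> str:
    """Base32-decode an authenticator secret and return it as lowercase hex.

    This is the conversion yubi_goog --convert-secret performs; spaces and
    case are normalised and any missing '=' padding is restored first.
    """
    clean = secret.replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    return base64.b32decode(clean).hex()


def yubikey_padded_key(secret_hex: str, length: int = 20) -> bytes:
    """Zero-pad a short secret to the 20-byte HMAC-SHA1 key the slot stores.

    HMAC already zero-pads keys shorter than the hash block size, so the
    padded key produces exactly the same codes as the unpadded one.
    """
    key = bytes.fromhex(secret_hex)
    if len(key) > length:
        raise ValueError("secret longer than the slot's key size")
    return key.ljust(length, b"\x00")


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(key: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if at is None else at
    return hotp(key, int(now) // step, digits)


def totp_window(key: bytes, at: Optional[float] = None, step: int = 30,
                digits: int = 6) -> Tuple[str, str, str]:
    """Codes for the previous, current and next time step.

    When a phone and a ykchalresp run are compared a few seconds apart, one
    side may already have crossed a 30-second boundary; accepting a
    neighbouring step is how verifiers tolerate that skew.
    """
    now = int(time.time() if at is None else at)
    return tuple(hotp(key, now // step + d, digits) for d in (-1, 0, 1))


if __name__ == "__main__":
    secret_hex = google_secret_to_hex("JBSWY3DPEHPK3PXP")  # the key from the post
    print("hex secret:", secret_hex)
    key = yubikey_padded_key(secret_hex)
    print("current code:", totp(key))
    print("prev/current/next:", totp_window(key))
```

Run it while ykchalresp -t -6 -2 is pressed on the key: the YubiKey’s answer should appear as the middle value of the window (or a neighbour right at a boundary). The test values below are the published RFC 4226/6238 vectors for the ASCII key 12345678901234567890.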

Updating a Note II to 4.4.2

Filed in Tech Leave a comment

When O2 Ireland got bought out by Three, I feared that all updates for the Note II (N7100) would stop. I was not mistaken – a number of months in, and no updates with no plan to update. The phone is also loaded down with O2 crapware that you cannot remove.

Three support the Note II without issue, and have a 4.4.2 ROM released for the device on SamMobile, so I decided I wanted to make a nice clean cut from O2 Ireland and flash my phone with Three’s ROM. To complicate matters, I’m using a Mac. After some trial and error, I figured out a way to flash the Three ROM onto my Note II and even get to keep all my data intact – i.e. it’s an in-situ upgrade just as if it was an OTA update! This method should not “trip” KNOX (thus voiding your warranty) and will not increase the KNOX counter – for all intents and purposes, it is just like doing an update using Kies or OTA!

Step 1 – Download the firmware

Find the correct firmware from SamMobile. This one worked for me without any issue. SamMobile require you to register with their site, and the download is slow – took me about 2 hours. When it has downloaded, extract the zip file. Inside you will find a tar.md5 file – rename it to be tar.gz and extract that also. You should have a few files in there, such as system.img, boot.img, recovery.img, etc. 

Step 2 – Put the phone in recovery mode

Power off your phone, and plug it into a micro USB cable connected to your laptop. Hold down the Volume Down + Home + Power buttons all at the same time, and the phone should boot up with a photo of the Android logo. Hit the Volume Up button to continue.

Step 3 – Install Heimdall

Download Heimdall from here and install it based on your platform. For OSX / Mac, you will need to restart your machine. Connect your phone to the laptop using a micro USB cable. After you restart, open the Terminal and type

sudo heimdall detect

You should get back

Device detected

Step 4 – Copy the phone’s partition table

In the terminal, type

sudo heimdall download-pit --output /tmp/note2.pit --no-reboot

and should get back something like

Heimdall v1.4.0
 
Copyright (c) 2010-2013, Benjamin Dobell, Glass Echidna
http://www.glassechidna.com.au/
 
This software is provided free of charge. Copying and redistribution is
encouraged.
 
If you appreciate this software and you would like to support future
development please consider donating:
http://www.glassechidna.com.au/donate/
 
Initialising connection...
Detecting device...
Claiming interface...
Setting up interface...
 
Initialising protocol...
Protocol initialisation successful.
 
Beginning session...
 
Some devices may take up to 2 minutes to respond.
Please be patient!
 
Session begun.
 
Downloading device's PIT file...
PIT file download successful.
 
Ending session...
Releasing device interface...

If you get an error like “ERROR: Claiming interface failed”, run the following:

sudo kextunload -b com.devguru.driver.SamsungComposite
sudo kextunload -b com.devguru.driver.SamsungACMData
sudo kextunload -b com.devguru.driver.SamsungACMControl

Re-run the PIT download. The error is usually because Kies has decided to be a bollox. You may have to reboot the phone and put it back into recovery mode.

Step 5 – Upload the firmware

This will do the in-situ upgrade. In the terminal, navigate to the folder where you extracted all the .img files, and then run

heimdall flash --pit /tmp/note2.pit --verbose --SYSTEM system.img --BOOT boot.img --RECOVERY recovery.img --CACHE cache.img --HIDDEN hidden.img --RADIO modem.bin --TZSW tz.img --BOOTLOADER sboot.bin

You should see a lot of text, and the blue progress bar will appear on your phone. This will take about 15 minutes.

Heimdall v1.4.0
 
Copyright (c) 2010-2013, Benjamin Dobell, Glass Echidna
http://www.glassechidna.com.au/
 
This software is provided free of charge. Copying and redistribution is
encouraged.
 
If you appreciate this software and you would like to support future
development please consider donating:
http://www.glassechidna.com.au/donate/
 
Initialising connection...
Detecting device...
      Manufacturer: "SAMSUNG"
           Product: "Gadget Serial"
 
            length: 18
      device class: 2
               S/N: 0
           VID:PID: 04E8:685D
         bcdDevice: 021B
   iMan:iProd:iSer: 1:2:0
          nb confs: 1
 
interface[0].altsetting[0]: num endpoints = 1
   Class.SubClass.Protocol: 02.02.01
       endpoint[0].address: 83
           max packet size: 0010
          polling interval: 09
 
interface[1].altsetting[0]: num endpoints = 2
   Class.SubClass.Protocol: 0A.00.00
       endpoint[0].address: 81
           max packet size: 0200
          polling interval: 00
       endpoint[1].address: 02
           max packet size: 0200
          polling interval: 00
Claiming interface...
Setting up interface...
 
Initialising protocol...
Protocol initialisation successful.
 
Beginning session...
 
Some devices may take up to 2 minutes to respond.
Please be patient!
 
Session begun.
 
Downloading device's PIT file...
PIT file download successful.
 
Uploading SYSTEM
0% 1% 2% 3% ... 99% 100%
SYSTEM upload successful
 
Uploading BOOT
0% 15% 31% 47% 62% 78% 94% 100%
BOOT upload successful
 
Uploading RECOVERY
0% 13% 26% 39% 53% 66% 79% 93% 100%
RECOVERY upload successful
 
Uploading CACHE
0% 2% 5% 8% 11% 14% 17% 20% 23% 26% 29% 32% 35% 38% 41% 44% 47% 50% 53% 56% 59% 62% 65% 68% 71% 74% 77% 80% 83% 86% 89% 92% 95% 98% 100%
CACHE upload successful
 
Uploading HIDDEN
0% 1% 2% 3% ... 99% 100%
HIDDEN upload successful
 
Uploading RADIO
0% 8% 16% 24% 33% 41% 49% 58% 66% 74% 83% 91% 99% 100%
RADIO upload successful
 
Uploading TZSW
0% 100%
TZSW upload successful
 
Uploading BOOTLOADER
0% 100%
BOOTLOADER upload successful
 
Ending session...
Rebooting device...
Releasing device interface...

The phone should reboot automatically, and it will be updated!
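The five steps above, with the pre-flight checks a practitioner would want before handing images to heimdall, as an added Python example that is not from the post or from Heimdall: verify the download’s trailing md5 and confirm every image the flash command names is present and non-empty. It assumes the SamMobile .tar.md5 is a tar archive (whose length is a multiple of the 512-byte tar block) followed by one text line of the form <md5>  <name> covering the bytes before it, which is the check Odin performs, and that the file and partition names are those of the post’s command. The md5 only catches a corrupted or truncated download; it does not tell you who built the image.

```python
"""Pre-flight checks before handing firmware images to heimdall.

Added example, not from the post or from Heimdall. Assumed format: a
SamMobile .tar.md5 is a tar archive (length a multiple of the 512-byte tar
block) followed by one line "<md5>  <name>" covering the bytes before it.
The md5 guards against a corrupted or truncated download only; it says
nothing about who produced the image.
"""
import hashlib
from pathlib import Path

TAR_BLOCK = 512
MIN_TRAILER = 32 + 2 + 1  # md5 hex digits, two spaces, at least one name byte

# Partition name -> image file, in the order the post's heimdall command uses.
IMAGES = [
    ("SYSTEM", "system.img"), ("BOOT", "boot.img"), ("RECOVERY", "recovery.img"),
    ("CACHE", "cache.img"), ("HIDDEN", "hidden.img"), ("RADIO", "modem.bin"),
    ("TZSW", "tz.img"), ("BOOTLOADER", "sboot.bin"),
]


def read_trailer(path):
    """Return (archive_length, expected_md5) from the text line after the tar blocks."""
    size = Path(path).stat().st_size
    trailer_len = size % TAR_BLOCK
    if trailer_len < MIN_TRAILER:
        raise ValueError("no md5 line follows the tar blocks")
    with open(path, "rb") as fh:
        fh.seek(size - trailer_len)
        digest = fh.read(trailer_len).split(b" ", 1)[0].decode("ascii", "replace").lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("trailer does not start with an md5 digest")
    return size - trailer_len, digest


def verify_tar_md5(path) -> bool:
    """True when the md5 of the archive bytes matches the trailer.

    Hashes in chunks so a firmware file of a gigabyte or more is never
    read into memory at once.
    """
    archive_len, expected = read_trailer(path)
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        remaining = archive_len
        while remaining:
            chunk = fh.read(min(1 << 20, remaining))
            if not chunk:
                raise ValueError("file shorter than its own trailer claims")
            md5.update(chunk)
            remaining -= len(chunk)
    return md5.hexdigest() == expected


def check_images(directory) -> list:
    """Names of required images that are missing or empty in `directory`."""
    d = Path(directory)
    return [f for _, f in IMAGES
            if not (d / f).is_file() or (d / f).stat().st_size == 0]


def heimdall_command(directory, pit="/tmp/note2.pit") -> str:
    """The flash command from the post, built only when every image is present."""
    missing = check_images(directory)
    if missing:
        raise FileNotFoundError("missing or empty images: " + ", ".join(missing))
    parts = " ".join(f"--{part} {img}" for part, img in IMAGES)
    return f"heimdall flash --pit {pit} --verbose {parts}"


if __name__ == "__main__":
    import sys  # usage: python preflight.py FIRMWARE.tar.md5 ./extracted
    firmware, extracted = sys.argv[1], sys.argv[2]
    print("md5 ok" if verify_tar_md5(firmware) else "md5 MISMATCH, do not flash")
    print(heimdall_command(extracted))
```

Run it against the downloaded .tar.md5 and the folder you extracted in Step 1, before Step 5; a mismatch or a missing image means a fresh download, not a flash.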

Bye Bye RSS

Filed in Tech Leave a comment

Recently both Facebook and Twitter, yet again, changed their methods for accessing a user’s RSS feed.

Sorry lads, but I’m sick of all the nasty hacks and workarounds. The two statuses in the sidebar shall be no more.

Goodnight, Sweet Prince

Filed in Tech Leave a comment

I’m not a person who particularly had heroes when growing up. ~ Dennis Ritchie

Today, news broke that Dennis Ritchie had passed away, aged 70, after a long but unspecified illness. It is hard to say how much of an impact he has had on computing over the years, as it’s incalculable. Today I found out that we – indeed, all of us – have lost our Father… He has been free()’d.


In honor of his life’s work, I have made a shrine to him in the office. Without Dennis, none of us would be doing what we are doing, today. He wasn’t simply a figure in the landscape, he was a shaper of the landscape. We’ve all lost a hero.

Tech Bubble

Filed in Tech Leave a comment

Funny thing is, I don’t know if I should take the title seriously.

Saving bandwidth with Maths

Filed in Tech Leave a comment

Instead of us sending files through the internet, we should simply send mathematical formulas and the answers. Sure, compression does this, but I’ve come up with a better idea.

  1. MD5Sum the file
  2. SHA2 the file
  3. Send the MD5, SHA2 and the file size to the other computer
  4. Compute the answer

The implementation is left as an exercise for the reader.

Thoughts on the Amazon outage

Filed in Tech 6 Comments

Disaster Recovery needs to be a primary objective when planning and implementing any IT project, outsourced or not. The ‘Cloud’ isn’t magic, the ‘Cloud’ isn’t fail-proof, the ‘Cloud’ requires hardware, software, networking, security, support and execution – just like anything else.

All the fancy marketing speak, recommendations and free trials, can’t replace the need to do obsessive due diligence before trusting any provider no matter how big and awesome they may seem or what their marketing department promise.

Why do Data Centers have UPS and Diesel Generators on-site? They know electricity can and does fail.

Why do we buy servers with dual power supplies? We know they can and do fail.

Why do we implement RAID? We know hard drives can and do fail.

Prepare for the worst, period.

Putting all of your eggs in one cloud, so to speak, no matter how much redundancy they say they have, seems short-sighted in my opinion. If you are utilizing an MSP, HSP, CSP, IAAS, SAAS, PAAS, et al. to attract/increase/fulfill a large percentage of your revenue, or all of your revenue, like many companies are doing nowadays, then you need to assume that all vendors will eventually have an issue like this that affects your overall uptime, brand and churn rate. A blip here and there is tolerable.

Amazon’s downtime is stratospherically high, and their prices are spectacularly inflated. Their ping times are terrible and they offer little that anyone else doesn’t offer. Anyone holding them up as a good solution without an explanation has no idea what they’re talking about.

The same hosting platform, as always, is preferred: dedicated boxes at geographically disparate and redundant locations, managed by different companies. That way when host 1 shits the bed, hosts 2 and 3 keep churning.

Nobody who has even a rudimentary best-practice hosting setup has been affected by the Amazon outage in any way other than a speed hit as their resources shift to a secondary center.

Stop following the new-media goons around. They don’t know what they’re doing. There’s a reason they’re down twice a month and making excuses.

Personally, I do not use a server for “mission critical” applications that I cannot physically kick. Failing that, a knowledgeable SysAdmin that I can kick.

Disable WordPress Plugins

Filed in Open Source | Tech Leave a comment

All too often, I see a WordPress plugin misbehaving or causing a lot of grief – often locking the user out from wp-admin, which prevents them from disabling the dodgy plugin in the first place.

There are a number of ways that you can disable the plugins, and a quick Google recommends that you go into the database (most people would access a MySQL Database from PHPMyAdmin) and make changes.

The simplest way, that does not involve messing with the database is:

Rename the plugins folder

  1. Fire up your FTP program (I use FileZilla) and rename the plugins folder in wp-content to, say, plugins-broken.
  2. Try accessing wp-admin again, with any luck it will load.
  3. To revert, simply create a plugins folder in wp-content and move each plugin, one by one, into this new folder.

Mess with the database

This method will disable all the plugins, and should leave the settings intact. This is my favorite method. Use this at your own risk.

  1. Go into PHPMyAdmin
  2. Click the database name up the top left
  3. Click the SQL tab
  4. Put the following into the box and click “Go”:

UPDATE wp_options SET option_value = 'a:0:{}' WHERE option_name = 'active_plugins';
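The value 'a:0:{}' is a PHP-serialized empty array; WordPress keeps active_plugins as a serialized, zero-indexed list of dir/file.php strings. As an added example (not WordPress code), the Python below parses and rebuilds that form, so you can drop just the misbehaving plugin instead of all of them, and emits the same UPDATE statement as above for pasting into phpMyAdmin. It assumes ASCII plugin paths and the default wp_ table prefix; check $table_prefix in wp-config.php before running the statement, since a custom prefix means a different table name.

```python
"""Build the active_plugins value WordPress expects instead of hand-editing it.

Added example, not WordPress code. WordPress stores active_plugins as a
PHP-serialized, zero-indexed array of "dir/file.php" strings; 'a:0:{}' is
the serialized empty array. Assumed: ASCII plugin paths and the default
wp_ table prefix (see $table_prefix in wp-config.php).
"""
import re

_HEADER = re.compile(rb"a:(\d+):\{")
_ENTRY = re.compile(rb"i:(\d+);s:(\d+):\"")


def php_unserialize_string_list(blob: str) -> list:
    """Parse a PHP-serialized list of strings. PHP counts bytes, so work on bytes."""
    data = blob.encode("utf-8")
    head = _HEADER.match(data)
    if not head:
        raise ValueError("not a serialized PHP array")
    count, pos, items = int(head.group(1)), head.end(), []
    for expected_index in range(count):
        entry = _ENTRY.match(data, pos)
        if not entry or int(entry.group(1)) != expected_index:
            raise ValueError(f"malformed entry at byte {pos}")
        length, start = int(entry.group(2)), entry.end()
        end = start + length
        if data[end:end + 2] != b'";':
            raise ValueError(f"bad string length at byte {start}")
        items.append(data[start:end].decode("utf-8"))
        pos = end + 2
    if data[pos:] != b"}":
        raise ValueError("trailing data after the array")
    return items


def php_serialize_string_list(items) -> str:
    """Inverse of the parser: a:N:{i:0;s:len:"value";...}."""
    body = "".join(
        f'i:{i};s:{len(s.encode("utf-8"))}:"{s}";' for i, s in enumerate(items)
    )
    return f"a:{len(items)}:{{{body}}}"


def without_plugin(blob: str, plugin_path: str) -> str:
    """The serialized list with one plugin removed (unchanged if it is absent)."""
    return php_serialize_string_list(
        [p for p in php_unserialize_string_list(blob) if p != plugin_path]
    )


def update_sql(active_value: str, table_prefix: str = "wp_") -> str:
    """UPDATE statement for phpMyAdmin; the empty list reproduces the page's query."""
    literal = active_value.replace("'", "''")  # the only quoting the serialized form needs
    return (
        f"UPDATE {table_prefix}options SET option_value = '{literal}' "
        "WHERE option_name = 'active_plugins';"
    )


if __name__ == "__main__":
    # Constructed sample of what SELECT option_value ... WHERE option_name =
    # 'active_plugins' might return on a site with two plugins enabled.
    current = 'a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:9:"hello.php";}'
    print(update_sql(without_plugin(current, "hello.php")))   # drop one plugin
    print(update_sql(php_serialize_string_list([])))          # drop all, as on the page
```

Read the current value out of wp_options first, feed it to without_plugin with the path of the offending plugin, and run the printed statement; the plugin’s own settings live in separate option rows and are untouched either way.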

An open note to Packard Bell about Recovery disks

Filed in Odd Crap | Tech Leave a comment

Evening,

I made a complete balls of my Windows Install including the recovery partition, and the self made recovery DVD’s are scratched beyond recognition.

Is it possible to get the CD’s off of you?

Regards,

Nick


Hello, Thank you for contacting Packard Bell.

Regarding your enquiry,

For information about availability and prices, please call the Packard Bell Sales & upgrade Department on 0871 467 0008 during office hours (9.00 a.m. until 5.30 p.m.). Disc sets would cost £50 and take approximately 10-15 working days for delivery.

When contacting our Sales & upgrade Department please mention the computer’s serial number to assure an efficient response.

Thank you for contacting Packard Bell. We look forward to hearing from you soon

Regards

Packard Bell UK Customer Support Team


Good Evening,

I’m afraid I cannot afford fifty of your British Pounds Sterling as my owl has eaten all the money I had hidden in the sugar bowl (FYI – Owls on sugar is like Lindsey Lohan on coke).

I have attached a self portrait of myself. I am a well renowned artist, brother, lover and ginge – currently King of the Gingers for five consecutive years, with every year involving a bear knuckle boxing match which takes place in a blue horsebox being pulled by a Massie 135 through the village center. Two men enter, one man leaves… then the other man leaves a short time later.

The current price for my artwork is seventy five pound sterling, which is 182 German Deutsche Marks or 1024768 Itchy and Scratchy Dollars and by reading this email you accept my portrait as full payment for any fees incurred now or in the future including, but not limited to; postage, panda attack, sexual harassment lawsuits, incarceration due to pantlessness, or the purchase of new pants.

I await in joyful hope for the coming of the flying Spaghetti Monster and to hear from you soon regarding the postage of the CD’s.

Regards,

Dr.Nicholas Ignatious Gerard Geoghegan-Eta Rossa, PhD, ASCII, WPA, TELNET

Nick - Age 24


Hello, Thank you for contacting Packard Bell.

Regarding your enquiry,

The picture was excellent, and the email was funny, however we can only provide recovery CD’s for usual fee of £50.

Regards

Steve
Packard Bell Support Team


My Dearest Steve,

How have you been?

It’s been a long time, far far too long. Every time I see a clear blue sky I am reminded of you. Do you remember that fresh, warm, June afternoon we spent together by the lake all those years ago?

We were so young and carefree back then, filled with pith and vinegar. It’s hard to look back and believe we were so naive back then – but that is the folly of youth. Do you remember the boat Captain, with his weather worn, scared face? He passed away two years ago, it was a beautiful funeral. Flowers and brass adorned every part of his rich, oaken coffin. I thought I’d see you there, but you never showed.

I still look back on that day with fondness, that was the day we stopped being children and became men… we grew up so much in that single day. I still remember the cucumber and jam sandwiches? How we thought cucumber and raspberry jam together would be nice I’d never know!

When I close my eyes at night, I can still feel your warm embrace. We both know what we were doing was wrong in the eyes of God, but it felt so right. I’ve taught myself to keep those urges under control, but seeing your email has made all those emotions come flooding back to me.

I will be perfectly candid and straight, I’ve found a wife and we married a few years ago but the love I feel for her is different to our love. Our beautiful, passionate love.

I really do hope you like the picture I sent previously. I hope that seeing it wasn’t difficult for you. Trying to find the courage and will to reply to your email has been mentally, emotionally and physically exhausting for me.

By replying to my last email you have indicated that you accept my End User Licence Agreement and I can’t wait to receive the Recovery Disks in the post – hopefully scented with your musk. When you are ready to post the disks, please let me know and I’ll tell you my home address… Do with it as you will, but please be discreet.

Forever yours,

Dr.Nicholas Geoghegan, PhD, CDRW, TCP/IP, GCC-CPP


Hello, Thank you for contacting Packard Bell.

Regarding your enquiry,

Unfortunateley [sic] you will need to contact the call centre to obtain recovery CD’s. Their number is 0871 467 0008.

We apologise for any inconvenience this may have caused.

Regards

Mark
Packard Bell Support Team
